
Clifford Chance
Regulatory Investigations and Financial Crime Insights

Spotlight on data protection regulatory risks in Australia: OAIC's enforcement priorities and activities in 2026

The OAIC's enforcement priorities and activities for 2026 reflect the Australian Government's and the public's evolving understanding and expectations of how personal information is collected and handled, and the new industries that will come under scrutiny.

Earlier this month, the Office of the Australian Information Commissioner (OAIC) commenced its first privacy policy compliance sweeps across six industries, focusing on the collection of personal information in specific circumstances. Specifically:

  1. Real estate agents – The collection of individuals’ personal information during property inspections.
  2. Chemists and pharmacists – The collection of personal information for paperless receipts and identity information to dispense medication.
  3. Licensed venues – The collection of identity information to enable individuals to access a venue.
  4. Car rental companies – The collection of identity and other personal information to enter into a car rental agreement.
  5. Car dealerships – The collection of personal information to facilitate a vehicle test drive.
  6. Pawnbrokers and second-hand dealers – The collection of identity information from individuals who wish to sell or pawn goods.

Where did this come from and where will it go?

The privacy policy compliance sweeps come off the back of a number of legal and policy developments in the Australian data protection and privacy sphere.

In 2023, the Australian Government passed the first tranche of amendments to the Privacy Act 1988 (Cth) (Privacy Act), which included amendments that:

  1. Enhanced and empowered the OAIC to enable it to better monitor compliance, investigate complaints and potential contraventions of the Privacy Act and undertake public inquiries, such as in relation to systemic industry-wide acts or practices.
  2. Introduced a 'low tier' civil penalty provision. This penalty regime is concerned with the failure to comply with certain parts of the Privacy Act's Australian Privacy Principles (APPs), including the failure to have a compliant privacy policy and the failure to provide written notice of certain uses or disclosures of personal information. Corporations may be liable for up to $330,000 (and other entities for up to $66,000) for a breach of the 'low tier' regime.
  3. Expanded the OAIC's ability to issue infringement notices for breaches, complementing the 'low tier' civil penalty regime, which may impose a maximum penalty of up to $66,000 for listed corporations ($19,800 for other entities).
  4. Introduced a 'mid-tier' civil penalty provision. This penalty regime is concerned with the interference with the privacy of an individual (as opposed to a serious interference with privacy). Corporations may be liable for up to $3,300,000 and other entities for up to $660,000 for a breach of the 'mid-tier' regime.

The OAIC's regulatory priorities for the 2025-2026 financial year identify that its key focus is the prevention of harm to an individual from an entity's privacy practices.[1] Key regulatory priorities include:

  1. Rebalancing power and information asymmetries, by focusing on sectors and technologies that compromise rights and create imbalances, such as advertising technology, artificial intelligence and excessive collection and retention of personal information.
  2. Rights preservation in new and emerging technologies, such as facial recognition technology (FRT) and biometric scanning and surveillance technologies in apps, vehicles and other smart devices.

These regulatory priorities broadly reflect the change in the public's APP enquiries made to the OAIC over the last five years, with the top enquiries focusing on APP 3 (collection), APP 6 (use or disclosure), APP 11 (security) and APP 12 (access). These developments underscore the OAIC's sharpened focus on proactive enforcement and transparency, particularly in sectors where emerging technologies intersect with high-risk data practices.

The Privacy Commissioner has recently made determinations in relation to entities collecting sensitive biometric data using FRT.[2] These entities sought to rely on the permitted general situation exemption to the collection of personal information in section 16A of the Privacy Act, to prevent a serious threat to life, health or safety. The Privacy Commissioner's rejection of their ability to rely on this exemption focused on several key principles:

  1. Transparency and notification: The entities both failed to adequately notify individuals about biometric data collection and use, and their privacy policies lacked sufficient detail on data types and purposes for collection.
  2. Suitability of FRT: The FRT tool was unsuitable as it relied on repeat offending and did not address singular unlawful events. The targeted activity was 'not of the kind that could be assisted by the FRT system'.
  3. Necessity and proportionality: FRT must be strictly necessary and proportionate to the risk being addressed. Here, it involved indiscriminate collection of sensitive biometric data to address minimal risk, making it disproportionate and invalid for exemption.
  4. Consideration of alternatives: Although effective and cost-efficient, FRT was the most privacy-intrusive option and not preferable to alternatives. It was only 'an additional and complementary tool available'.

Although the exemption test differs from APP 3's “reasonably necessary” standard, the Privacy Commissioner’s emphasis on suitability, proportionality and alternatives signals a stricter view of what can be considered necessary when collecting sensitive biometric data. Organisations must justify the purpose of collection, show that less privacy-intrusive options were considered and ensure the method selected is proportionate to the risk being addressed.

Australian data protection and privacy lessons for 2026

The OAIC's first-ever privacy policy sweep is unlikely to be the last. With the OAIC receiving additional funding year on year, together with funds from successful judgments and settlements, and with the public's increasing awareness and scrutiny of privacy practices, this privacy sweep signals a mandate for a proactive regulator in the Australian data protection and privacy sphere.

Entities should continue to ensure that their privacy policies are accurate, clear, transparent and reflect their current and future business practices. Further, to comply with their obligations under the Privacy Act and its APPs, and given the OAIC's concerns about rebalancing power between entities and individuals, consideration should be given to whether the collection of each type of personal information is necessary and proportionate for the purposes for which it is collected.

For assistance with updating privacy policies and privacy practices, please contact your Australian or Global Clifford Chance Tech team contact.

------------------------------------------------------------------------------------------------

[1] https://www.oaic.gov.au/news/media-centre/oaic-releases-regulatory-action-priorities-for-2025-26.

[2] Commissioner Initiated Investigation into Bunnings Group Limited (Privacy) [2024] AICmr 230 (29 October 2024); Commissioner Initiated Investigation into Kmart Australia Limited (Privacy) [2025] AICmr 155 (26 August 2025). Both of these determinations are subject to review.
